
Erik Decker (right) of Intermountain Health, speaks Tuesday during a House subcommittee hearing on cybersecurity risks of legacy medical devices. Seated next to him is Dr. Christian Dameff of the University of California San Diego Health.
Photo: Susan Morse, HFN HIMSS/Energycommerce.house.gov
A hearing before a House Energy and Commerce subcommittee Tuesday on the safety of legacy medical devices became a forum for Democrats to protest staffing cuts at Health and Human Services, one of the federal departments tasked with cybersecurity protection.
HHS Secretary Robert F. Kennedy Jr. announced last week that he is terminating 20,000 positions and shuttering regional offices across the country, “creating further chaos and turmoil for federal employees and the people depending on the services they provide,” said Yvette Clarke, D-N.Y., ranking member of the Energy and Commerce Oversight and Investigations Subcommittee. “I have difficulty seeing how we can have a hearing about how the FDA [Food and Drug Administration] should approach legacy medical device cybersecurity without first addressing the fact that the Trump administration and DOGE [Department of Government Efficiency] are dismantling the very agency responsible for medical device safety.”
At the FDA, 3,500 employees are expected to lose their jobs. They’ve been told that medical device reviewers won’t be affected, Clarke said, but they know nothing about whether the staff who support the review process are at risk.
Frank Pallone Jr., D-N.J., ranking member of the House Energy and Commerce Committee, said that at HHS, staff are showing up at work only to find their positions have been terminated. Pallone said he would ordinarily be interested in a discussion on medical devices, but indicated that the layoffs were more top-of-mind.
Panelists taking part in the Oversight and Investigations Subcommittee discussion on “Aging Technology, Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices” were asked about the impact of FDA staff reductions on medical device security.
“Tremendous,” said Kevin Fu, professor from the department of Electrical and Computer Engineering at the Khoury College of Computer Sciences at Northeastern University. Fu formerly served as the inaugural acting director of Medical Device Cybersecurity at the FDA’s Center for Devices and Radiological Health (CDRH) and program director for Cybersecurity at the Digital Health Center of Excellence.
Fu said losing cybersecurity subject matter experts would be difficult. He also advised that funding not be taken from the National Institutes of Health.
Erik Decker, vice president and CISO at Intermountain Health, said the FDA is a key stakeholder in cybersecurity efforts.
“Yes, it will have an impact,” Decker said.
Medical device manufacturers, hospitals and the FDA work as partners, he said. HHS, the FDA and the healthcare industry have established numerous task groups under the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG).
However, Decker said, analysis shows that on average, hospitals only have about 55% of the Health Industry Cybersecurity Practices (HICP) recommended practices for medical device security implemented.
Decker said there are four groups of threat actors: nation-state actors, organized crime, “hacktivists” and insider threats.
Panelist Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said next week they will release a white paper on how health systems are under-resourced in finances and staffing for cybersecurity protection.
One major issue, panelists agreed, is that while cyberattacks through medical devices are a real threat, there is no method for detection.
There are not a lot of ways to monitor when the risks occur on medical devices, said panelist Michelle Jump, CEO of MedSec.
Hospitals would likely not discover something planted on a medical device, said Dr. Christian Dameff, emergency physician and co-director for the Center for Healthcare Cybersecurity at the University of California San Diego Health.
There are easier ways for cyberattackers to make ransomware demands on hospitals, Dameff said. But flaws can be exploited. He knew of hospital staff who bought parts for a scanner on eBay because a new scanner was too expensive.
“Though there have been no known public attacks against medical devices to cause harm to a patient, the studies and research have shown that such an attack is possible,” Decker said in his opening statement. “One such study in 2011 showed how it was possible to compromise an insulin pump to deliver fatal dosages of medications, though it has never been reported to have happened.”
On Jan. 30, the Cybersecurity and Infrastructure Security Agency and the FDA released an alert about a Chinese-made patient monitor that had a hidden backdoor that could enable remote control and data exfiltration, said Congressman Gary Palmer, R-AL, chairman of the Subcommittee on Oversight & Investigations.
Palmer said in some instances older devices were made before existing cybersecurity requirements were established.
“There is a broad range of medical devices that can be vulnerable to cybersecurity threats, but examples include patient monitors, infusion pumps and imaging systems. With over 6,000 hospitals in the U.S., each housing a range of rooms and beds and an average of 10 to 15 connected devices per bed, it is clear how integral medical devices are to delivering healthcare in the U.S.,” Palmer said.
The hardware can last 10 to 30 years, but the software becomes obsolete much sooner, he said. Patching and updating software are common ways to address cybersecurity vulnerabilities, he said, “but it is unlikely that such vulnerabilities can be sufficiently mitigated through these approaches due to outdated technology and compatibility issues.”